Chapter 11 SOA and Web Services Security

Basic SOA architecture
SOA threat framework

Chapter 12 SOA Attack Vectors and Scanning for Vulnerabilities

Profiling Web services (analyzing Web Services)
Analyzing Web Services with wsScanner.

TECHNOLOGY FINGERPRINTING AND ENUMERATION (analyzing the back-end architecture)
Infer the back-end technology stack from the ASMX and JWS extensions (file suffixes) and from information in the responses.

XML POISONING WITH SAX PARSING
XML POISONING WITH DOM

PARAMETER TAMPERING (parameter tampering)
1. Metacharacter injection
2. Data type mismatch
3. Large buffer
4. Abnormal values
5. Sequence breaking

TAMPERING WITH DATA TYPES OF THE SOAP MESSAGE (data type tampering)
Supplying a value of a different type than the parameter expects may cause an exception message to be returned. More information leaks mean more pieces of this Web services jigsaw puzzle that fit. As this set of information is collected and put into perspective, we may be able to draw a better picture about the technology and application layer logic in use and other significant information.

SQL INJECTION WITH SOAP MANIPULATION (SQL injection)
Input a double quote:

"

Response:

soap:Server
Server was unable to process request. --> Cannot use empty object or column names. Use a single space if necessary. Unclosed quotation mark before the character string ''. Line 1: Incorrect syntax near ''.

Ljubicic proves too good for MoyaAll emotions crossed his face. Anger, disappointment, annoyance. But Ivan Ljubicic didn't afford himself a smile till he smacked a forehand crosscourt winner. Chennai Open: Home hopes dashed when Rohan Bopanna struck the ball so hard that once he took off his own name plate from the scoreboard. The other time, he nearly decapitated Petr Pala. Atwal heroics not enough for Asia. Arjun Atwal led the fightback for Asia who however fell just short as Europe won the inaugural Royal Trophy by a 9-7 margin here on Sunday.
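The fault above leaks the database engine and the exact point where the injected quote broke the statement. The following example is added here and is not code from the book or its sample service: it models a SOAP handler that concatenates the parameter into SQL and echoes raw errors (the behaviour the fault shows), beside a hardened version that uses a parameterised query and a generic fault. The news table, the category parameter and the function names are constructed for the demo; sqlite3 stands in for the back-end, so the unterminated-quote probe is a single quote, which is what the SQL Server fault above complains about as an "unclosed quotation mark".

```python
import sqlite3

# Constructed sample data: a tiny "news" table standing in for the
# service's back-end database.
_ROWS = [
    ("Ljubicic proves too good for Moya", "tennis"),
    ("Atwal heroics not enough for Asia", "golf"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory demo database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (title TEXT, category TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", _ROWS)
    return conn


def get_news_vulnerable(conn: sqlite3.Connection, category: str) -> str:
    """Flawed handler: the SOAP parameter is spliced into the SQL text and the
    raw database error is copied into the SOAP fault string."""
    sql = "SELECT title FROM news WHERE category = '" + category + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Leaks engine-specific detail to the caller, as in the fault above.
        return "soap:Server Server was unable to process request. --> " + str(exc)
    return "\n".join(title for (title,) in rows)


def get_news_hardened(conn: sqlite3.Connection, category: str) -> str:
    """Hardened handler: allow-list validation, a bound parameter so the value
    can never change the statement, and a fault that says nothing about the
    engine. The real error belongs in a server-side log only."""
    if not (1 <= len(category) <= 32 and category.isalnum()):
        return "soap:Client Invalid parameter"
    try:
        rows = conn.execute(
            "SELECT title FROM news WHERE category = ?", (category,)
        ).fetchall()
    except sqlite3.Error:
        return "soap:Server Server was unable to process request."
    return "\n".join(title for (title,) in rows)


if __name__ == "__main__":
    db = make_db()
    for probe in ("tennis", "'", "x' OR '1'='1"):
        print(repr(probe), "->", get_news_vulnerable(db, probe))
        print(repr(probe), "->", get_news_hardened(db, probe))
```

Run it and compare the two handlers on the three probes: the vulnerable one returns an engine error for the bare quote and both rows for the `OR '1'='1'` payload, while the hardened one rejects both probes with the same short client fault and answers only the well-formed category.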

If the cookie is constructed using a weak algorithm, it can be vulnerable to easy guesses by another user. This may lead to session hijacking. Another potential hazard is unencrypted HTTP traffic sniffed over the network and replayed.

Session Fixation (session fixation)

Session Fixation translates as a "session fixation attack". It was fairly common in older applications, but as web applications have become more complex the problem has become rare.

To understand the attack, an analogy:
1. You pay for a car.
2. You make a copy of the car key.
3. You sell the car to a sucker.
4. The sucker has paid for a second-hand car, and one day while he is away you drive it off with the key you copied in advance!

This process is a Session Fixation; the car key is the session ID.

The essence of this class of problem: the web application does not rewrite or renew the session after authentication, so the pre-authentication session can still be used. If an attacker knows the session ID in advance, they can trick the user into authenticating with that session ID. After authentication the session ID is unchanged, but the session has become an authenticated session, so the attacker can use that session ID directly to pass the system's authentication as the user.

In a web environment, when a user browses a page the server creates a session, and the session ID is stored on the client side, for example in the browser URL or in a cookie. The user holds the session ID, and with it the server can find the user's session. After the user enters a username and password, the system authenticates that session. On success the session is an authenticated session; the server knows the user has authenticated, and the user no longer has to enter a username and password each time an authenticated page is visited.

A common way to exploit Session Fixation is to send a link by email that tricks the user into clicking it and logging in, so that the session becomes authenticated, for example: http://www.fvck.com/auth?session=xxxxxxx

Countering this attack is simple: regenerate the session after authentication. Even adding to or modifying the current session serves the purpose.

Session Hijacking (session hijacking)

HTTP is a stateless connection; session state can only be maintained through the server-side SESSION. SESSION authentication depends on a unique ID issued to the user. The user's browser sends an ID to the server, and if that session ID exists on the server side, the user is treated as the same person as the session's user. A malicious attacker can sniff COOKIE information on the network and misuse another user's SESSION ID to impersonate a legitimate user; this is SESSION hijacking.

Besides holding the session ID, COOKIEs are often used for a "remember password" function to avoid tedious logins. Most sites store the account and password in the COOKIE, which increases the risk: the COOKIE being observed by a third party in transit, the COOKIE file being maliciously copied, an offline-constructed COOKIE being used to crack the password... all of these fall under COOKIE spoofing.

The existing remedy is SSL secure transport, but it adds overhead; most sites cannot bear the huge resource cost of site-wide SSL, so typically only the login page uses SSL while other pages remain plain HTTP. This is of no use against SESSION hijacking.

Use the IP address, MAC address and similar attributes to uniquely identify the source of a request.

References:
http://blog.csdn.net/huangkaixuan/article/details/7614547
http://msdn.microsoft.com/zh-cn/magazine/cc300500(en-us).aspx
http://hi.baidu.com/yangyuenfei/item/c516c234f6544c483075a1f7

Chapter 13 Web 2.0 Application Fuzzing for Vulnerability Detection and Filtering for Countermeasures

WEB 2.0 APPLICATION FUZZING

FUZZING XML STREAMS
One can analyze these responses and identify possible vulnerabilities.
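The session fixation discussion above comes down to one server-side decision: whether the session ID presented before login survives authentication. The example below is added here and is not code from the notes or from any framework. It uses a constructed in-memory session store, a constructed user table, and two login routines, one that keeps the pre-authentication ID (the flaw) and one that issues a fresh ID after a successful login and destroys the old one (the countermeasure). The `fixation_demo` helper plays out the mailed-link scenario: an attacker-chosen ID is planted, the victim logs in with it, and the attacker then presents the planted ID.

```python
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session store for the demo (not a real framework)."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}  # sid -> {"user": None | str}

    def create(self) -> str:
        # Unguessable ID; a weak or predictable generator would invite guessing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid: str) -> dict:
        """Fixation precondition: the application accepts whatever session ID
        the client presents (e.g. from ?session=... in a mailed link) instead
        of issuing its own."""
        return self._sessions.setdefault(sid, {"user": None})

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


# Constructed credential table for the demo.
_USERS = {"alice": "correct horse"}


def _credentials_ok(user: str, password: str) -> bool:
    return hmac.compare_digest(_USERS.get(user, ""), password)


def login_vulnerable(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Marks the presented session as authenticated and keeps its ID, so an
    ID known to a third party before login is still valid afterwards."""
    if not _credentials_ok(user, password):
        return sid
    store.adopt(sid)["user"] = user
    return sid


def login_secure(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Regenerates the session on authentication: a fresh ID carries the
    authenticated state and the pre-login ID is invalidated."""
    if not _credentials_ok(user, password):
        return sid
    new_sid = store.create()
    store.lookup(new_sid)["user"] = user
    store.destroy(sid)
    return new_sid


def fixation_demo(login):
    """Returns (user the planted ID resolves to, user the victim's ID resolves to)."""
    store = SessionStore()
    planted_sid = "attacker-chosen-id"  # constructed value from the mailed link
    store.adopt(planted_sid)
    # The victim follows the link, so the browser presents the planted ID at login.
    victim_sid = login(store, planted_sid, "alice", "correct horse")
    # The third party later presents the ID it planted.
    return store.user_for(planted_sid), store.user_for(victim_sid)


if __name__ == "__main__":
    print("keep ID after login:", fixation_demo(login_vulnerable))
    print("regenerate after login:", fixation_demo(login_secure))
```

With the vulnerable login both IDs resolve to `alice`; with regeneration the planted ID resolves to nothing and only the freshly issued ID carries the authenticated session.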
For example, in the above case, we get a string saying "Error in running statement" that is clearly pointing to some sort of SQL statement issue. One can investigate the issue in detail.

FUZZING JSON STREAMS
Having access to the JSON stream, one can do full-blown penetration and application assessment testing on it. It is possible to do, for example, SQL injections, LDAP/XPATH injections, user/pass brute forcing on these JSON streams. The application resource may fail and cough up some critical information back to the attacker and can open a security hole.

WEB 2.0 APPLICATION FIREWALL AND FILTERING

Defenses:
To overcome this critical problem, there are two possible solutions:
1. Applying powerful Web 2.0 content filtering capability such as implementing an XML firewall or JSON filtering to protect these streams
2. Secure coding and proper input validation before receiving input from these Web 2.0 streams

WEB 2.0 FIREWALL AND FILTERING WITH MODSECURITY
http://www.modsecurity.org/

WEB 2.0 FIREWALL WITH IHTTPMODULE IN .NET
Microsoft's .NET framework includes two interfaces: IHttpModule and IHttpHandler. These two interfaces can be leveraged to provide application-level defenses customized to application level, folder level, or variable level. This can act as the first line of defense, before any incoming request touches the Web application source code level. This is Web application defense at the gates, for the .NET framework on IIS.

Chapter 14 Web 2.0 Application Defenses by Request Signature and Code Scanning
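The Chapter 13 filtering defenses above (JSON filtering at the gate, and input validation before the stream reaches application code) can be shown in one small request filter. The example below is added here; it is not code from the notes, from ModSecurity or from the .NET IHttpModule interface, and is written in Python rather than C# so it can be run directly. It assumes a constructed per-field policy (`POLICY`) for a JSON request body and rejects the tampering classes listed in Chapter 12: metacharacter injection, data type mismatch, large buffers, abnormal values and unexpected fields.

```python
import json
import re

# Constructed per-field policy for the demo: field -> (expected type, pattern).
# A gateway filter like an IHttpModule or a ModSecurity rule set would carry
# an equivalent policy per handler or folder.
POLICY = {
    "user": (str, re.compile(r"[A-Za-z0-9_]{1,32}")),
    "id": (int, None),
    "q": (str, re.compile(r"[\w .-]{0,64}")),
}

# Characters that commonly carry meaning for SQL, LDAP and XPath back-ends.
META = re.compile(r"""['";()|*\\<>=&/]""")

MAX_BODY = 4096        # guards against oversized buffers
MAX_ID = 2 ** 31 - 1   # abnormal numeric values outside a 32-bit range


def filter_json_request(body: str):
    """Gateway-level check for a JSON request body.

    Returns (allowed, reason). Rejections happen before any application
    code sees the data, which is the 'defense at the gates' idea above."""
    if len(body) > MAX_BODY:
        return False, "body too large"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict):
        return False, "top-level object expected"
    for key, value in data.items():
        if key not in POLICY:
            return False, f"unexpected field {key!r}"
        expected_type, pattern = POLICY[key]
        # `type(...) is` rather than isinstance: bool is a subclass of int and
        # must not pass as an integer id.
        if type(value) is not expected_type:
            return False, f"type mismatch for {key!r}"
        if isinstance(value, int) and not 0 <= value <= MAX_ID:
            return False, f"abnormal value for {key!r}"
        if isinstance(value, str):
            if META.search(value):
                return False, f"metacharacter in {key!r}"
            if pattern and not pattern.fullmatch(value):
                return False, f"pattern violation in {key!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest exercising each check.
    samples = [
        '{"user": "alice", "id": 7, "q": "tennis"}',
        '{"user": "alice\' OR \'1\'=\'1"}',
        '{"id": "7"}',
        '{"id": true}',
        '{"id": 99999999999}',
        '{"user": "alice", "extra": 1}',
        '[1, 2, 3]',
        '{"q": "' + "a" * 100 + '"}',
    ]
    for body in samples:
        print(filter_json_request(body))
```

The filter answers with a reason string so the rejection can be logged at the gate, while the client only needs the allow/deny outcome; that keeps the same information-leak discipline the SQL fault example in Chapter 12 calls for.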